R. Kinney Williams - Yennik, Inc.®
R. Kinney Williams
Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

December 20, 2015

Newsletter Content FFIEC IT Security Web Site Audits
Web Site Compliance
NIST Handbook
Penetration Testing
Does Your Financial Institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) as well as the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing The cybersecurity penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- FBI admits it uses hacker tools to investigate crimes - It's been keeping software security flaws secret to keep tabs on suspects. That could end up making some members of the public less safe. http://www.cnet.com/news/fbi-admits-it-uses-hacker-tools-to-investigate-crimes/

FYI - FTC and Wyndham end hotel data protection feud - Resort chain promises to lock down customer info Bates Motel - Hotel chain Wyndham Resorts has agreed to settle its long-running case with the FTC over its handling of customer data. http://www.theregister.co.uk/2015/12/10/wyndham_hotels_settles_with_ftc/

FYI - Army National Guard announces 13 new cyber units across 23 states - The U.S. Army National Guard announced plans to activate 13 new cyber units that will be spread throughout 23 states by the end of fiscal year 2019. http://www.scmagazine.com/army-national-guard-announces-new-cyber-defense-measures-and-more/article/459965/

FYI - Keep it private: Security/privacy - What do you get when you mix the avalanche of data that pours from every computing crevice, the proliferation and interconnectedness of apps and portable devices such as Fitbits, persistent criminals out to steal information, lax or incomplete data protection laws and a population proficient in gaining access to and moving information around? http://www.scmagazine.com/keep-it-private-securityprivacy/article/458412/

FYI - Half of law firms do not have a data protection committee - As corporations struggle to prepare against massive breaches like those that have rattled the industry over the past year, two reports by a legal competitive intelligence group shed light on how perspectives are shifting among legal professionals. http://www.scmagazine.com/report-half-of-law-firms-do-not-have-a-data-protection-committee/article/460270/

FYI - Critical Infrastructure Protection: Measures Needed to Assess Agencies' Promotion of the Cybersecurity Framework, GAO-16-152, December 17. 

FYI - Information Technology: FDA Has Taken Steps to Address Challenges but Needs a Comprehensive Strategic Plan, GAO-16-182, December 17. 

FYI - Pentagon short-handed in fight against cyber attackers - The Pentagon is in desperate need of reinforcements to prepare to fight in cyberspace with many of its most highly qualified security experts leaving the military for better paying jobs. http://www.scmagazine.com/dod-needs-reinforcements-for-cyber-battles/article/460374/

FYI - LifeLock to pay record $100 million settlement with FTC - The Federal Trade Commission (FTC) today approved a $100 million settlement with LifeLock over a 2010 contempt charge, the largest such payout in FTC history. http://www.scmagazine.com/lifelock-settlement-an-ftc-record/article/460518/


FYI - DDoS attack knocks Danish Parliament website offline - The Danish Parliament website folketinget.dk was taken offline Friday morning in a distributed denial of service (DDoS) attack, parliamentary press spokesman Finn Tørngren Sorensen confirmed. http://www.scmagazine.com/ddos-attack-knocks-danish-parliament-website-offline/article/459253/

FYI - Alibaba customers targeted in Phishing attack - Customers of the online retail giant Alibaba are being specifically targeted with a phishing scam. http://www.scmagazine.com/alibaba-customers-targeted-in-phishing-attack/article/459403/

FYI - Moonfruit experiences DDoS, renewed threats, takes customer sites down - Moonfruit took its customer websites out of service Monday for “up to 12 hours,” after suffering a distributed denial of service (DDoS) attack and being under threat of further cyber-attacks. http://www.scmagazine.com/moonfruit-takes-down-customer-sites-for-up-to-12-hours-after-attack-threat/article/459511/

FYI - 13 Million MacKeeper Users Exposed - The makers of MacKeeper — a much-maligned software utility many consider to be little more than scareware that targets Mac users — have acknowledged a breach that exposed the usernames, passwords and other information on more than 13 million customers and, er…users.

FYI - POS attack hits Swiss Cleaners for 10 months - The Rockville, CT.-based dry cleaning firm Swiss Cleaners suffered a point of sale data breach that could have potentially stolen the data from every payment card type used in the eight-store chain for almost one year. http://www.scmagazine.com/pos-attack-hits-swiss-cleaners-for-10-months/article/459952/

FYI - Boston internet service disrupted briefly by DDoS attack - Internet service in Boston was disrupted on Tuesday in what is being called a “minor act of cybervandalism,” according to the Boston Herald. http://www.scmagazine.com/boston-officials-call-ddos-attack-on-internet-service-a-minor-act/article/460203/

FYI - Target back on naughty list with another security vulnerability - Did you make a wish list on Target's mobile app? Well Ho ho ho, your phone number and address are publicly accessible thanks to a newly discovered flaw. http://www.cnet.com/news/target-back-on-naughty-list-with-another-security-vulnerability/

FYI - Walgreens, Target shopping apps can expose customer data - Santa may know if you have been naught or nice, but that's nothing compared to the amount of information Walgreens and Target collects from its shopping app users. http://www.scmagazine.com/retailer-shopping-apps-expose-customer-data/article/460381/

FYI - Teen nets $150K from Chinese airline hack - A Chinese teenager hacked into the website of a Chinese airline, stole the information of hundreds of passengers and then used it to defraud them into paying additional fees for their flights, netting a cool $150,000 for his efforts. http://www.scmagazine.com/teenager-steals-booking-data-bilks-chinese-airlines-passengers/article/460372/
Return to the top of the newsletter

We finish our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 10 of 10)  
Managing Service Providers
Financial institutions, especially smaller institutions, may choose to subcontract with a service provider to create, arrange, and manage their websites, including weblinks. The primary risks for these financial institutions are the same as for those institutions that arrange the links directly. However, if a financial institution uses a set of pre-established links to a large number of entities whose business policies or procedures may be unfamiliar, it may increase its risk exposure. This is particularly true in situations in which the institution claims in its published privacy policy that it maintains certain minimum information security standards at all times.
 When a financial institution subcontracts weblinking arrangements to a service provider, the institution should conduct sufficient due diligence to ensure that the service provider is appropriately managing the risk exposure from other parties. Management should keep in mind that a vendor might establish links to third parties that are unacceptable to the financial institution. Finally, the written agreement should contain a regulatory requirements clause in which the service provider acknowledges that its linking activities must comply with all applicable consumer protection laws and regulations.
 Financial institution management should consider weblinking agreements with its service provider to mitigate significant risks. These agreements should be clear and enforceable with descriptions of all obligations, liabilities, and recourse arrangements. These may include the institution's right to exclude from its site links the financial institution considers unacceptable. Such contracts should include a termination clause, particularly if the contract does not include the ability to exclude websites. Finally, a financial institution should apply its link monitoring policies discussed above to links arranged by service providers or other vendors.

Return to the top of the newsletter

We begin our series on the FFIEC interagency Information Security BookletThis booklet is required reading for anyone involved in information systems security, such as the Network Administrator, Information Security Officer, members of the IS Steering Committee, and most important your outsourced network security consultants.  Your outsourced network security consultants can receive the "Internet Banking News" by completing the subscription for at https://yennik.com/newletter_page.htm.  There is no charge for the e-newsletter. 

Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of information technology (IT) -  related risks to the organization, business and trading partners, technology service providers, and customers. Organizations meet this goal by striving to accomplish the following objectives.
 1)  Availability - The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information and/or systems.
 2)  Integrity of Data or Systems - System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.
 3)  Confidentiality of Data or Systems - Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.
 4)  Accountability - Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports non-repudiation, deterrence, intrusion prevention, intrusion detection, recovery, and legal admissibility of records.
 5)  Assurance - Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.
 Appropriate security controls are necessary for financial institutions to challenge potential customer or user claims that they did not initiate a transaction. Financial institutions can accomplish this by achieving both integrity and accountability to produce what is known as non-repudiation. Non-repudiation occurs when the financial institution demonstrates that the originators who initiated the transaction are who they say they are, the recipient is the intended counter party, and no changes occurred in transit or storage. Non-repudiation can reduce fraud and promote the legal enforceability of electronic agreements and transactions. While non-repudiation is a goal and is conceptually clear, the manner in which non-repudiation can be achieved for electronic systems in a practical, legal sense may have to wait for further judicial clarification.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 Chapter 4.2 Fraud and Theft

 Computer systems can be exploited for both fraud and theft both by "automating" traditional methods of fraud and by using new methods. For example, individuals may use a computer to skim small amounts of money from a large number of financial accounts, assuming that small discrepancies may not be investigated. Financial systems are not the only ones at risk. Systems that control access to any resource are targets (e.g., time and attendance systems, inventory systems, school grading systems, and long-distance telephone systems).
 Computer fraud and theft can be committed by insiders or outsiders. Insiders (i.e., authorized users of a system) are responsible for the majority of fraud. A 1993 InformationWeek/Ernst and Young study found that 90 percent of Chief Information Officers viewed employees "who do not need to know" information as threats. The U.S. Department of Justice's Computer Crime Unit contends that "insiders constitute the greatest threat to computer systems." Since insiders have both access to and familiarity with the victim computer system (including what resources it controls and its flaws), authorized system users are in a better position to commit crimes. Insiders can be both general users (such as clerks) or technical staff members. An organization's former employees, with their knowledge of an organization's operations, may also pose a threat, particularly if their access is not terminated promptly.
 In addition to the use of technology to commit fraud and theft, computer hardware and software may be vulnerable to theft. For example, one study conducted by Safeware Insurance found that $882 million worth of personal computers was lost due to theft in 1992.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated